sidlab1584
Explorer

Mgmt_cli show access-rule base issue

I am trying to export 0 hit rules. I found some old discussions and articles:

Solved: Re: Export of rules with zero hits in dashboard - Check Point CheckMates

Solved: Disable/Delete Rules with a Zero Hit Count (MDS or... - Check Point CheckMates

 

My environment is MDS, and I have inline policy layers. When I run mgmt_cli, I can see the packages:

 

[Expert@MDS-01:0]# mgmt_cli -r true --port 443 show packages -d "172.16.31.117" --format json | jq '.packages[] | .name' | sed 's/\"//g'
EXT-OTT
Standard

 

However, when I try to see the rule base, it says object not found. 


[Expert@MDS-01:0]# mgmt_cli show access-rulebase offset 0 limit 20 name "EXT-OTT" details-level "standard" use-object-dictionary true
Username: admin
Password:
code: "generic_err_object_not_found"
message: "Requested object [EXT-OTT] not found"

[Expert@MDS-01:0]# ^C
[Expert@MDS-01:0]# mgmt_cli -r true --port 443 show access-rulebase name "EXT-OTT" -d "172.16.31.117" show-hits true --format json limit 50000
{
"code" : "generic_err_object_not_found",
"message" : "Requested object [EXT-OTT] not found"

 

What am I missing here?

Sorry I am new to API calls and programming; I work mostly on firewalls. 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin

EXT-OTT is the name of the policy package, which is made up of one or more policy layers.
The layers are where the policy is defined.

To get the top-level layers involved: mgmt_cli --format json --session-id xxx show package name Standard | jq '."access-layers"[]'
You can then look at the correct rulebase: mgmt_cli --format json --session-id xxx show access-rulebase uid 6a5b4108-a94e-4f5d-974b-8d8c431fdd5f

Do not use the "limit" parameter to exceed the specification in the API documentation as it is not guaranteed to return all the requested results and may result in performance issues (500 is max for show access-rulebase).
Also, if you have inline layers, you will have to parse the results to find out what inline layer is referenced and do a show access-rulebase on those as well.


0 Kudos
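
The procedure from the accepted answer (page through each layer at the 500-rule limit, then follow every inline layer it references), as an added Python example that is not part of the original thread or Check Point's own code. The JSON field names (rulebase, access-section, inline-layer, hits.value, to, total) are assumed from the show access-rulebase output and should be checked against your API version; the sample pages are constructed.

```python
import json
import subprocess

PAGE_LIMIT = 500  # maximum for show access-rulebase, per the answer above

def mgmt_cli_page(layer_uid, offset, domain="172.16.31.117"):
    """Fetch one page of a layer's rulebase with hit counts (run on the management server)."""
    cmd = ["mgmt_cli", "-r", "true", "-d", domain, "--format", "json", "show", "access-rulebase",
           "uid", layer_uid, "show-hits", "true", "offset", str(offset), "limit", str(PAGE_LIMIT)]
    return json.loads(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)

def _rules(entries):
    """Yield access rules, descending into sections (field names assumed from the API's JSON)."""
    for entry in entries:
        if entry.get("type") == "access-section":
            yield from _rules(entry.get("rulebase", []))
        elif entry.get("type") == "access-rule":
            yield entry

def zero_hit_rules(layer_uid, fetch_page=mgmt_cli_page, seen=None):
    """Return (layer uid, rule number, name) for zero-hit rules in a layer and its inline layers."""
    seen = set() if seen is None else seen
    seen.add(layer_uid)
    found, offset = [], 0
    while True:
        page = fetch_page(layer_uid, offset)
        for rule in _rules(page.get("rulebase", [])):
            if rule.get("hits", {}).get("value") == 0:
                found.append((layer_uid, rule.get("rule-number"), rule.get("name", "")))
            inline = rule.get("inline-layer")  # UID string, or an object at fuller detail levels
            uid = inline["uid"] if isinstance(inline, dict) else inline
            if uid and uid not in seen:  # walk each inline layer once, even if several rules use it
                found += zero_hit_rules(uid, fetch_page, seen)
        nxt = page.get("to", 0)
        if nxt <= offset or nxt >= page.get("total", 0):  # last page, or no progress
            return found
        offset = nxt

# Constructed sample pages keyed by (layer uid, offset); UIDs, names and counts are made up.
def _r(number, name, hits, **extra):
    return {"type": "access-rule", "rule-number": number, "name": name, "hits": {"value": hits}, **extra}
SAMPLE = {
    ("top-uid", 0): {"to": 2, "total": 3, "rulebase": [{"type": "access-section", "rulebase": [
        _r(1, "Mgmt", 5), _r(2, "To DMZ", 0, **{"inline-layer": "inl-uid"})]}]},
    ("top-uid", 2): {"to": 3, "total": 3, "rulebase": [_r(3, "Cleanup", 0)]},
    ("inl-uid", 0): {"to": 2, "total": 2, "rulebase": [_r(1, "Unused", 0), _r(2, "Web", 12)]},
}

def sample_page(layer_uid, offset):
    return SAMPLE[(layer_uid, offset)]
```

Calling zero_hit_rules("top-uid", sample_page) walks the constructed data offline; on the management server, call zero_hit_rules with each layer UID returned by the show package command in the answer.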